From 7eb4471004ac08734608171f4225e7bc242b18b9 Mon Sep 17 00:00:00 2001
From: Jamie Lokier
Date: Mon, 3 May 2021 07:34:17 +0100
Subject: [PATCH] Bugfix: Avoid numeric overflow when validating transaction value It's possible for `tx.value` in the transaction to have a deliberately constructed large 256-bit value, such that adding `gasLimit * gasPrice` to it overflows to a small value. Prior to this patch, the code would allow such a transaction to pass validation, even though such a large transfer cannot be valid.
Signed-off-by: Jamie Lokier
---
 nimbus/p2p/executor.nim | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/nimbus/p2p/executor.nim b/nimbus/p2p/executor.nim
index 783185273..b30e57dea 100644
--- a/nimbus/p2p/executor.nim
+++ b/nimbus/p2p/executor.nim
@@ -19,11 +19,18 @@ proc validateTransaction*(vmState: BaseVMState, tx: Transaction,
 addition=tx.gasLimit
 return

- let totalCost = tx.gasLimit.u256 * tx.gasPrice.u256 + tx.value
- if totalCost > balance:
- debug "invalid tx: not enough cash",
+ let gasCost = tx.gasLimit.u256 * tx.gasPrice.u256
+ if gasCost > balance:
+ debug "invalid tx: not enough cash for gas",
 available=balance,
- require=totalCost
+ require=gasCost
+ return
+
+ if tx.value > balance - gasCost:
+ debug "invalid tx: not enough cash to send",
+ available=balance,
+ availableMinusGas=balance-gasCost,
+ require=tx.value
 return

 if tx.gasLimit < tx.intrinsicGas(fork):
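Review bot: The new `tx.value > balance - gasCost` comparison is only safe from unsigned wraparound because the `gasCost > balance` branch above it returns first, and nothing in the code records that dependency. A comment above the second check, such as `# gasCost <= balance here, so balance - gasCost cannot wrap`, would keep a later reordering from reintroducing the same class of bug. The remaining unchecked arithmetic is `tx.gasLimit.u256 * tx.gasPrice.u256`. It presumably fits in 256 bits if both fields are 64-bit, but their types are not visible in this hunk, so that assumption deserves a one-line comment too. The diffstat shows only executor.nim changed, so no regression test covering a near-maximum `tx.value` accompanies the fix. The body of validateTransaction starts and continues outside the hunk.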